How to view Permissions for any object in Active Directory?

Read on to know how to view permissions for any object in Active Directory (AD) using PowerShell and how you can get it done easily with ADManager Plus.

Windows PowerShell

  • Identify the domain that contains the object whose permissions you want to view.
  • Create and compile the script for viewing the permissions for the AD object. Execute the script in PowerShell.
  • Sample script for reporting the permissions a user account holds on AD objects and exporting them to a CSV file:
Import-Module ActiveDirectory

$securityreport = @()
$schemaGUID = @{}

# Build a GUID-to-name lookup for schema classes/attributes and extended rights.
# Errors from duplicate keys are suppressed while the table is filled.
$ErrorActionPreference = 'SilentlyContinue'
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object {$schemaGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object {$schemaGUID.add([System.GUID]$_.rightsGUID,$_.name)}
$ErrorActionPreference = 'Continue'

# Get a list of AD objects.
$AOs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$AOs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$AOs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree -LDAPFilter '(objectClass=*)' | Select-Object -ExpandProperty DistinguishedName

# Read the ACL of each object and resolve the object-type GUIDs to names.
ForEach ($AO in $AOs) {
    $securityreport += Get-Acl -Path "AD:\$AO" |
        Select-Object -ExpandProperty Access |
        Select-Object @{name='organizationalunit';expression={$AO}}, `
            @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaGUID.Item($_.objectType)}}}, `
            @{name='inheritedObjectTypeName';expression={$schemaGUID.Item($_.inheritedObjectType)}}, `
            *
}

# Filter by single user and export to a CSV file.
$User = 'Username'
$securityreport |
    Where-Object {$_.IdentityReference -like "*$User*"} |
    Select-Object IdentityReference, ActiveDirectoryRights, OrganizationalUnit, IsInherited -Unique |
    Export-Csv -Path "D:\report\permissions.csv" -NoTypeInformation
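The script above walks every object in the domain. For auditing one object, the following added example (not part of the original page or of ADManager Plus) lists each ACE on a single distinguished name and marks explicit Allow entries that carry takeover-level rights. The function name `Get-ADObjectPermission` and the DN `OU=Example,DC=example,DC=com` are hypothetical placeholders.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADObjectPermission {
    param(
        # Distinguished name of the single object to inspect.
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    $rootDse = Get-ADRootDSE
    $guidMap = @{}   # GUID -> attribute/class name or extended-right name

    # Index assignment (not .Add) so duplicate GUIDs do not raise errors.
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $guidMap[[System.Guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $guidMap[[System.Guid]$_.rightsGUID] = $_.name }

    # Rights that allow taking over or rewriting the object.
    $watch = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        $typeName = $ace.ObjectType.ToString()   # fall back to the raw GUID
        if ($ace.ObjectType -eq [System.Guid]::Empty) { $typeName = 'All' }
        elseif ($guidMap.ContainsKey($ace.ObjectType)) { $typeName = $guidMap[$ace.ObjectType] }

        # Composite rights such as GenericAll need an all-bits match, not just -band.
        $hits = foreach ($name in $watch) {
            $bits = [System.DirectoryServices.ActiveDirectoryRights]$name
            if (($ace.ActiveDirectoryRights -band $bits) -eq $bits) { $name }
        }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            AccessType  = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = $typeName
            IsInherited = $ace.IsInherited
            # Explicit (non-inherited) Allow ACEs with a watched right deserve review.
            Review      = ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and [bool]$hits)
        }
    }
}

# Constructed placeholder DN; replace with a real object in your domain.
Get-ADObjectPermission -DistinguishedName 'OU=Example,DC=example,DC=com' |
    Sort-Object Review -Descending | Format-Table -AutoSize
```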

ADManager Plus

  • Navigate to Reports > Security Reports > AD objects accessible by Accounts.
  • Select the Domain and the User Account(s) you wish to view the permissions for. You can even import this list from a CSV file. Click Apply.


Get Permissions of all the Active Directory Objects using ADManager Plus


This report gives insight into the access permissions of an AD account.

Although viewing permissions for AD objects with native tools like PowerShell looks simple, it comes with a few limitations:

  • The PowerShell script can be run only from computers that have the Active Directory Domain Services role installed.
  • If permissions for other AD objects are required, a new and complex script needs to be written.
  • The syntax, parameters and iterations need to be correct. A typo or incorrect syntax might be difficult to spot and rectify, especially when the script is a long one.

ADManager Plus lets you perform the same with a few clicks from its web-based GUI console. It also has options for scheduling and automatically emailing the reports. Learn more about AD permissions reporting.
